NAC 4.1 bridge loop occurs when both CAS NICs enabled

drbenham
Level 1

I'm in the implementation phase of NAC 4.1.0.2 (OOB VGW with 3 HA CAS pairs and 1 HA CAM pair). I recently moved all 8 servers from a 2950 that I was using for testing to the 6509. Ever since, I've been experiencing an ARP storm when both eth0 and eth1 are plugged in on any of the second two CAS pairs. The trunk-allowed statements are all correct; they are pruning the VLANs that are active on the other interface of that CAS.

I didn't experience any bridge loops when the servers were connected to the 2950.

6509 is running 12.2.18SXD7 and all interfaces are plugged into the same blade (only one copper blade in chassis).

Here's an example of a switch port config for both ends of the CAS on the 6509. 299 is the management VLAN for NAC.

[interface that CAS3 eth0 is attached]
description ***CCA CAS3 Trusted***
no ip address
switchport
switchport trunk allowed vlan 2-99,299
switchport mode trunk
no cdp enable

[interface that CAS3 eth1 is attached]
description ***CCA CAS3 Untrusted***
no ip address
switchport
switchport trunk allowed vlan 300-399
switchport mode trunk
no cdp enable

Any ideas?

Dave

8 Replies

oabduo983
Level 1

Did you make sure you followed the guide step by step...

I faced this issue before, and you really have to unplug the trusted interface until you finish and apply the VLAN mapping... otherwise you will most probably have to consider re-imaging the CAS...

Regards,

Thanks for the info. I've been (incorrectly?) unplugging the UNtrusted nic while applying all of the vlan mappings. If I've been misreading all of those docs this entire time, I'm going to be really upset. I'll try unplugging the trusted instead of the untrusted and see if I have better results.

Thanks,

Dave

You will have to unplug the untrusted, not the trusted. You will use the trusted interface to connect the CAS to the CAM...

Regards,

In that case, that is what I have done... I even deleted the CAS pair out of the CAM and re-added it (with the untrusted side unplugged). No joy.

jvr775
Level 1

Hey Dave,

Try setting each interface's native VLAN to its own respective setting: CAS3 eth0 to native VLAN 998, CAS3 eth1 to native VLAN 999.

I'll give that a shot this week. Thanks for the idea...

I set the native VLANs on the trusted side of all of the CASes and still get the same problem. The untrusted side doesn't really have a native VLAN, since clients get placed in about 40 different VLANs, so I left that side unset.

Any other ideas?

Dave

Hi Dave

Per Cisco's documentation, the trusted/untrusted VGW (OOB/IB) CAS ports should be configured on different native VLANs.
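As an added example (not code from this thread, from Cisco, or from the NAC product), here is a small Python checker that applies the two conditions the thread turns on to a pair of CAS switch-port configs: that no VLAN is allowed on both the trusted and the untrusted trunk (a VGW CAS bridges between its two NICs, so a shared VLAN is a loop through the CAS), and that the two ports use different native VLANs, as the last reply cites from Cisco's guidance. It assumes IOS trunk defaults (all VLANs allowed, native VLAN 1 when none is configured); the sample inputs are Dave's two CAS3 port configs as posted, plus a copy with the 998/999 native VLANs jvr775 suggested.

```python
import re

# Constructed sample input: the two 6509 trunk ports from the original post,
# copied as pasted, with no native VLAN configured (IOS default of VLAN 1 applies).
TRUSTED_PORT = """\
description ***CCA CAS3 Trusted***
no ip address
switchport
switchport trunk allowed vlan 2-99,299
switchport mode trunk
no cdp enable
"""

UNTRUSTED_PORT = """\
description ***CCA CAS3 Untrusted***
no ip address
switchport
switchport trunk allowed vlan 300-399
switchport mode trunk
no cdp enable
"""

# Same ports with the distinct native VLANs suggested in the thread (998 / 999).
TRUSTED_PORT_NATIVE = TRUSTED_PORT + "switchport trunk native vlan 998\n"
UNTRUSTED_PORT_NATIVE = UNTRUSTED_PORT + "switchport trunk native vlan 999\n"

ALL_VLANS = frozenset(range(1, 4095))  # 802.1Q usable range, the IOS trunk default


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '2-99,299' into a set of VLAN ids."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk(config):
    """Effective allowed-VLAN set, native VLAN and mode for one interface block.

    Handles the plain list and the add/remove/except/all/none forms of
    'switchport trunk allowed vlan'; anything else in the block is ignored.
    """
    allowed = set(ALL_VLANS)  # IOS default: every VLAN allowed on a trunk
    native = 1                # IOS default native VLAN
    mode = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"switchport trunk allowed vlan (?:(add|remove|except) )?(\S+)$", line)
        if m:
            verb, spec = m.groups()
            if spec == "all":
                allowed = set(ALL_VLANS)
            elif spec == "none":
                allowed = set()
            elif verb == "add":
                allowed |= parse_vlan_list(spec)
            elif verb == "remove":
                allowed -= parse_vlan_list(spec)
            elif verb == "except":
                allowed = set(ALL_VLANS) - parse_vlan_list(spec)
            else:
                allowed = parse_vlan_list(spec)
            continue
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
        elif line == "switchport mode trunk":
            mode = "trunk"
    return {"allowed": allowed, "native": native, "mode": mode}


def check_cas_ports(trusted_cfg, untrusted_cfg):
    """Compare the trusted (eth0) and untrusted (eth1) trunk ports of one VGW CAS.

    Any VLAN carried on both trunks gives the switch a second path to itself
    through the CAS bridge; a shared native VLAN is flagged per Cisco's guidance.
    """
    t = parse_trunk(trusted_cfg)
    u = parse_trunk(untrusted_cfg)
    overlap = t["allowed"] & u["allowed"]
    findings = []
    if overlap:
        findings.append("VLANs allowed on both trunks: %s" % sorted(overlap))
    if t["native"] == u["native"]:
        findings.append("both trunks use native VLAN %d; use a different native VLAN per side" % t["native"])
    for side, port in (("trusted", t), ("untrusted", u)):
        if port["mode"] != "trunk":
            findings.append("%s port lacks 'switchport mode trunk'" % side)
    return {"overlap": overlap, "same_native": t["native"] == u["native"], "findings": findings}


if __name__ == "__main__":
    for label, pair in (("as posted", (TRUSTED_PORT, UNTRUSTED_PORT)),
                        ("with native VLANs", (TRUSTED_PORT_NATIVE, UNTRUSTED_PORT_NATIVE))):
        print(label, "->", check_cas_ports(*pair)["findings"] or "no findings")
```

Run against the configs as posted, the allowed lists are disjoint and the only finding is that both ports sit on the default native VLAN 1; with the 998/999 native VLANs added the checker reports nothing, which matches the thread's advice. Pulling `show running-config interface` output for both CAS ports of each HA pair through `check_cas_ports` is a quick way to confirm the same on the other two pairs.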
